How to configure simp::sssd::client when using LDAP and ppolicy


David Cooke

Jan 30, 2018, 11:12:51 AM
to SIMP Q&A Forum
Unless I'm missing something, there isn't much provision for configuring simp::sssd::client.

I'm setting up to use LDAP and migrate data from an existing LDAP server to this new one. We use server-side ppolicy and so have no use for the shadowAccount objectClass. Unfortunately simp::sssd::client seems to assume the use of shadowAccount anyway. The only way I've found to change this is to edit modules/simp/manifests/sssd/client.pp:

change from this:

      sssd::provider::ldap { 'LDAP':
        ldap_default_authtok_type => 'password',
        ldap_user_gecos           => 'dn'
      }

 to this:

      sssd::provider::ldap { 'LDAP':
        ldap_pwd_policy           => 'none',
        ldap_access_order         => ['lockout'],
        ldap_default_authtok_type => 'password',
        ldap_user_gecos           => 'dn'
      }

Why?
Setting ldap_pwd_policy to 'none' instead of sssd::provider::ldap default of 'shadow' turns off client side checking and allows use of server side ppolicy unimpeded.
Set ldap_access_order to ['lockout'] instead of the sssd::provider::ldap default of ['expire','lockout'] because 'expire' depends on shadowAccount. Even better would be to set it to ['ppolicy'], since 'ppolicy' has superseded 'lockout', but sssd::provider::ldap doesn't recognise 'ppolicy' yet.
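As an added check that is not part of David's post or of the SIMP/SSSD Puppet modules, the script below parses a rendered sssd.conf and flags any LDAP domain whose settings would still make the client evaluate shadowAccount state: ldap_pwd_policy not set to none, or 'expire' present in ldap_access_order. Both sample configurations are constructed for the example; the domain name, URI and section layout are assumptions, not values from the thread.

```python
import configparser

# Constructed samples of a rendered /etc/sssd/sssd.conf (not taken from the thread).
# BEFORE: what the unmodified sssd::provider::ldap defaults described above produce.
BEFORE_CONF = """\
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_pwd_policy = shadow
ldap_access_order = expire, lockout
"""

# AFTER: the settings described for a server-side ppolicy deployment.
AFTER_CONF = """\
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_pwd_policy = none
ldap_access_order = lockout
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style, so configparser handles it; interpolation is
    disabled because values may legitimately contain '%'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def access_order(section):
    """Split a comma-separated ldap_access_order value into a list."""
    raw = section.get("ldap_access_order", "")
    return [item.strip() for item in raw.split(",") if item.strip()]


def audit_domain(section):
    """Return (option, message) findings for one LDAP domain section.

    A finding means the client would still evaluate shadowAccount-derived
    state locally, which is what you want to avoid when the LDAP server's
    ppolicy overlay is the authority on password expiry and lockout."""
    findings = []
    if section.get("ldap_pwd_policy", "").strip() != "none":
        findings.append(("ldap_pwd_policy",
                         "set to 'none' so SSSD does not enforce shadow "
                         "password ageing on the client"))
    if "expire" in access_order(section):
        findings.append(("ldap_access_order",
                         "'expire' relies on shadowAccount attributes; "
                         "use 'lockout' (or 'ppolicy' where the module supports it)"))
    return findings


def audit(text):
    """Audit every [domain/*] section that uses the LDAP id or auth provider."""
    parser = parse_sssd_conf(text)
    results = {}
    for name in parser.sections():
        if not name.startswith("domain/"):
            continue
        section = parser[name]
        providers = {section.get("id_provider"), section.get("auth_provider")}
        if "ldap" not in providers:
            continue
        results[name] = audit_domain(section)
    return results


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        for domain, findings in audit(conf).items():
            print(f"[{label}] {domain}: {len(findings)} finding(s)")
            for option, message in findings:
                print(f"  {option}: {message}")
```

Run it against the file Puppet actually rendered on a client (read it in place of the constructed strings) after a Puppet run; a clean result confirms that the edit to client.pp made it into the configuration SSSD is using, rather than only into the manifest.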

Trevor Vaughan

Jan 30, 2018, 5:30:55 PM
to David Cooke, SIMP Q&A Forum
Hi David,

Thanks for the input, we'll definitely take a look and see how we can make this easier overall.

We've been digging into the SSSD module recently due to some IPA work so we can try to pull this into the fold.

I've created SIMP-4351 for tracking purposes.

Thanks,

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

mark....@soteradefense.com

Feb 28, 2018, 12:42:08 PM
to SIMP Q&A Forum
Trevor,

What's the expected timeline for the IPA work to be released?  
Is the github SSSD module's IPA working?

We have a hacked version of IPA running in SIMP 5, but are in process of transitioning to 6 due to puppet3 EOL.

Thanks in advance,
Mark Kraft


Trevor Vaughan

Feb 28, 2018, 5:12:12 PM
to mark....@soteradefense.com, SIMP Q&A Forum
We think that we have everything working on the client side now and we're working on a release of the RPMs within the next three weeks and a full release "soonish" after that.

Thanks,

Trevor
